6 December 1971


MEMORANDUM FOR: Chairman, United States Intelligence Board Security Committee

SUBJECT: Proposed Guidelines for ADP Disaster Prevention and Contingency Back-up Planning


1. Attached for Security Committee approval are Proposed
Guidelines for ADP Disaster Prevention and Contingency Back-up
Planning. These guidelines have been developed by the Computer
Security Subcommittee in cooperation with the Support Staff of the
Intelligence Information Handling Committee, and are designed for
dissemination to the USIB Community to assist member organizations
in addressing the problems of disaster prevention and contingency
planning in automatic data processing operations.

2. The proposed guidelines have been coordinated throughout
the USIB Community at the Subcommittee level with the exception
of the Atomic Energy Commission, which has not consistently
participated in recent CSS meetings. All other Subcommittee
members have concurred in the content of the proposed guidelines.

3. Since promulgation of this paper is to be co-sponsored
with the Intelligence Information Handling Committee, copies of
the attachment are being furnished the IHC Support Staff for IHC
dissemination at this time. After SECOM approval of the document,
it will be forwarded to the Chairman, IHC for coordination with his
Committee.


(Signed)

Att

STAT

Chairman
Computer Security Subcommittee

cc: Chief, IHC Support Staff w/att
PROPOSED GUIDELINES FOR ADP DISASTER PREVENTION AND CONTINGENCY BACK-UP PLANNING

I. PURPOSE

To provide basic guidance for the development of a 
disaster prevention and contingency back-up program for 
insuring the continuous computer processing and exchange of 
vital information. To outline the major areas of concern and 
list conditions and procedures necessary to insure the 
protection of ADP assets. To list actions and procedures for 
consideration in the formulation of a contingency plan. 

II. APPROACH 

Guidance set forth herein is based on the premise that 
organizations relying heavily on computer system operations 
should develop an integrated ADP Disaster Prevention and 
Contingency Back-Up Program to minimize the severity and 
effects of unforeseen computer system disasters. Such 
planning should be a specific design factor integrated into 
total system planning for each individual system and its 
unique environment. 

III. GENERAL CONSIDERATIONS 

Potential causes of disaster vary considerably in their
probability of occurrence, degree of criticality and
feasibility of preventive and/or back-up measures. Fires,
explosions, toxic fumes, nuclear weapon detonation and the
effects of natural disasters such as earthquakes, hurricanes
and floods can be immediately disastrous, resulting in the
death of or serious injury to personnel. The damage caused by
such events to computer equipment, the physical structure
housing the system, and the storage media may be disastrous
for an extended period of time depending upon resource
recovery capabilities. Other disruptive events such as
outages of electric power or air conditioning, the loss of
telecommunications facilities or the erasure of vital
information from magnetic storage media are not likely to be
as serious because back-up measures can be provided.
Although positive security actions and procedures can reduce
the effects of riots, theft, sabotage and vandalism, these
events can occur and result in disastrous operating
consequences.


IV. DISASTER ANALYSIS 

A disaster includes any incident or event which results
in a critical disruption of the computer operations.
Rescheduling of work loads according to user priority may be
required depending upon the allowable delay of the most
critical user processing requirements. Processing priorities
may also be required if the disruption results in partial
operability of the system. The disruption can reach major
proportions rendering the system inoperable for a prolonged
period of time and requiring movement of highest priority
processing to an alternate computer site.

The emergency or back-up actions needed to restore the 
capabilities of a computer system after a disaster has 
occurred should be proportionate to the critical effects of 
that disaster. These actions may be identified through
consideration of at least the following:

1. The event, cause or condition creating the disruption;

2. The capability to restore the system; 

3. The total period of time the system is expected to be
nonoperational;

4. The tolerable time-limits of system inactivity based 
on user requirements and dependent upon the type of system; 

5. The feasibility of a degraded mode of system operation 
whereby critical processing could continue; and 

6. The availability of an alternate system capable of 
assuming the critical processing requirements for a 
specified period of time. 
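As an added illustration of the six factors above (not part of the original guidelines), the following Python model assigns each user workload a back-up action in priority order and classifies the overall disruption as minor, partial or major. The workload names, tolerable delays and capacity figures are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Workload:                   # hypothetical model of one user's processing requirement
    name: str
    priority: int                 # 1 = most critical user requirement
    tolerable_delay_h: float      # factor 4: tolerable time-limit of system inactivity
    demand: float                 # share of full-system capacity the workload needs

@dataclass
class Disruption:
    cause: str                          # factor 1: event or condition creating the disruption
    expected_outage_h: float            # factors 2-3: expected time until the system is restored
    degraded_capacity: float            # factor 5: usable fraction of capacity (0 = no degraded mode)
    alternate_ready_h: Optional[float]  # factor 6: hours to bring up an alternate; None = none available

def plan_response(d: Disruption, workloads: List[Workload]) -> Dict[str, str]:
    """Assign a back-up action to each workload, most critical user first."""
    plan: Dict[str, str] = {}
    spare = d.degraded_capacity
    for w in sorted(workloads, key=lambda w: w.priority):
        if d.expected_outage_h <= w.tolerable_delay_h:
            plan[w.name] = "defer"           # reschedule once the system is restored
        elif spare >= w.demand:
            plan[w.name] = "degraded"        # keep running on the surviving capacity
            spare -= w.demand
        elif d.alternate_ready_h is not None and d.alternate_ready_h <= w.tolerable_delay_h:
            plan[w.name] = "alternate-site"  # move highest-priority processing off-site
        else:
            plan[w.name] = "manual"          # users fall back to manual information processing
    return plan

def severity(plan: Dict[str, str]) -> str:
    """Overall classification that decides how much of the contingency plan is invoked."""
    actions = set(plan.values())
    if actions & {"alternate-site", "manual"}:
        return "major"     # critical work cannot be met in-house within its tolerable delay
    if "degraded" in actions:
        return "partial"   # partial operability: priorities govern what still runs
    return "minor"         # everything can wait for restoration
# Constructed sample: 12-hour power outage, 40% capacity on back-up power, alternate up in 4 hours.
SAMPLE_WORKLOADS = [
    Workload("indications-warning", 1, 2.0, 0.3),
    Workload("message-traffic", 2, 6.0, 0.3),
    Workload("payroll", 3, 72.0, 0.2),
    Workload("archive-indexing", 4, 168.0, 0.4),
]
SAMPLE_DISRUPTION = Disruption("power outage", 12.0, 0.4, 4.0)
```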


V. MAJOR AREAS OF CONCERN AND PREVENTIVE MEASURES 

The major areas of concern involve the protection of
assets required for computer operation. The protection of
ADP assets requires the implementation of various measures
as part of a disaster prevention program. Security and
computer personnel should be alert to the possibility that a
disruption in computer activity may be deliberate rather
than accidental and should investigate any situation where
such evidence exists. Although the configuration of computer
systems and the physical environment of computer centers
vary, the following areas are applicable to all systems:

1. System Hardware: The mechanical, electronic,
magnetic and electrical components of a computer system.

a. Maintenance: Normal maintenance contracts with 
equipment vendors represent the initial preventive measure 
against a potentially serious disruption of operations. 

b. Engineering Support: Technical support should be
available on a 24 hour on-site basis if the computer center
requires such support. Back-up of critical hardware
components should be provided by the equipment vendor
on-site or in a readily accessible location.

c. Hardware Security: The implementation of measures 
such as memory protection and user/executive modes of
operation is recommended to insure protection of user data 
sets. 


2. System Software: Computer programs and procedures 
including system and user programs. 

a. Testing a New Installation: Duplicate programs
should be run on both the current and proposed system so
that the data can be compared. If duplicate testing is not
feasible, a test deck should be used to check the system's
logic.


b. Program Changes and Testing: Extensive program 
debugging is recommended to reduce the number of disruptions
caused by software errors. Any request for a program change 
should be submitted in writing and the action authorized 
only by a responsible manager. The number of persons 
authorized to make changes in operating programs should be 
limited. Program testing should be subject to review by 
authorized personnel and not conducted solely by the person 
who wrote the program. 

c. Software Security: Software security measures such
as user identification and authorization should be used to
reduce the possibility of unauthorized personnel accessing
the system.


3. System Operational Personnel: The individuals whose 
primary duties are concerned with the operation of the 
computer system. 

a. Selection of Key Personnel: Key personnel
designated to continue the operation of a computer system
should be briefed and provided written guidance as to their 
responsibilities and duties in the event of a disaster. 

b. Training of Key Personnel: Training programs 
should be developed which stress the proper handling and 
maintenance of computer system components. Key personnel 
should be broadly cross-trained in the event that certain
key personnel should be unable to respond to an emergency
situation.

c. Personnel Security: Computer personnel, visitors 
and users constitute a theft and/or sabotage threat to the 
computer center. Restrictions on the number of people 
allowed unescorted access and on the areas to which they
have access are recommended. 


4. System Environment: The computer facility,
supporting utilities and operational posture.

a. Facility (General): The facility housing a 
computer system should be constructed of fire resistant 
building materials and equipped with appropriate smoke 
detection, heat sensing and fire fighting devices. Periodic
safety checks of such devices for their operational
capability are encouraged. The use of the FPMR and the
National Fire Code volume 5, section 75 is recommended in 
the construction of computer facilities. Consideration 
should be given to maximum physical protection against the 
potentially catastrophic effects of natural disasters 
(hurricanes, earthquakes and floods) as well as conventional 
and nuclear weapons. 

b. Auxiliary Power and Air Conditioning: 
Malfunctions and failures of electric power and/or air 
conditioning are two of the major causes of disaster 
affecting a computer system. Provisions should be made for 
the use of an independent back-up power source as well as
providing for immediate repair or replacement of air
conditioning equipment. Consideration of line monitors
and/or overvoltage protectors to prevent damage from power
failure and power surges is recommended. Security controls
should be applied to reduce the possibility of willful or
inadvertent damage to the electrical and air conditioning
equipment.


c. Physical Security and Control: Access to the 
facility housing the system by other than authorized 
personnel should be prohibited. The mechanisms installed to 
enhance the security of the computer system area should be 
controlled by personnel designated as responsible for their 
maintenance and integrity. All procedures relating to 
facility control should be in writing and made available to 
assigned personnel. 


5. Data Files: Storage areas for magnetic storage media 
should be located outside the main computer area, preferably 
in a vault or secure area depending upon security 
considerations. Proper temperature and humidity should be 
maintained and cleanliness restrictions should be observed. 
All appropriate executive programs, system documentation, 
operation manuals, etc., required for the computerized 
processing of information should be identified, duplicated, 
and safely stored. Security procedures should be installed 
to prevent unauthorized personnel from removing files such 
as magnetic tapes from the computer center.

6. Communication Lines: Requirements for protecting
communication lines will vary depending upon the existence 
and location of remote terminals. The communication links 
from the central processor to the remote consoles are 
vulnerable to crosstalk, electromagnetic radiation and 
wiretaps. Unprotected data transmission should be 
eliminated by use of cryptographic techniques or by physical
security measures. Back-up communication facilities should
be available to reduce the effect of failures in the
communication area. 

7. Supplies: Supplies that are essential to computer 
operations should be identified and accessibility to 
back-up supplies should be provided.

VI. CONTINGENCY PLANNING

A manual or handbook detailing the computer center
methods of operation in the event of a disaster should be
prepared. It should specify the contingency or back-up
actions to be taken, individual responsibilities for these
actions and the follow-on investigative and reporting
requirements. The degree of implementation of the
contingency plan will depend upon the criticality of the
disaster.

Planning for possible emergencies should consider the 
recommendations listed below for disaster prevention and/or
coping with disasters which have occurred. 

A. Prior Planning 

1. Duplication and storage of vital programs,
documentation and data files in a readily accessible
location, preferably off-site. 

2. A determination that the fire safety equipment and 
emergency plans are adequate to minimize damage from smoke, 
chemicals, water or fire. 

3. A determination that adequate electrical power, air 
conditioning equipment, and heating systems are available 
for back-up use. 

4. Training of computer personnel to insure that they 
are aware of proper procedures for operating and protecting 
equipment and are aware of their responsibilities in the
event of a disaster. 

5. Up-to-date lists of emergency and support 
organizations and personnel with whom contact may be 
required. This may include medical centers, fire stations, 
security services and equipment maintenance services. 
6. All data being processed should bear a priority of
processing order. Users should be alert to the need for
manual information processing in the event computer
processing is not available for low priority processing.

7. Copies of all disaster planning documentation should 
be provided to each major functional area supporting the 
organization. Specific roles and responsibilities of each 
supporting function should be closely coordinated. 

8. The contingency plan should be updated periodically 
to reflect changes in equipment, user requirements, 
personnel, and back-up computer compatibility and 
availability. 

B. Major Disaster Planning: Contingency planning for a
major disaster which requires movement of computer 
processing activities to an alternate site should also 
consider the following recommendations: 

1. Prior identification of an alternate computer system
compatible with in-house systems that can be available if
needed. Physical surroundings of the alternate system should
conform to required security and safety standards. 


2. Identification and designation of personnel to
manage and operate the alternate system should be documented
and updated as the need arises. 

3. The computer operations at the alternate site should 
be carefully documented. Among other issues, this document 
should address such items as the transportation of alternate
site computer personnel, their responsibilities during 
alternate site operations, the necessary security 
considerations for the computer environment and the transfer 
of classified data to the alternate site, and the priority 
processing order of data. 

4. Periodic operation of the alternate computer system
using the duplicate documentation, software and data files
by the designated alternate system personnel should be made.
Results should be compared with normal operations in order
for changes to be effected if required.

5. Instructions for the destruction of classified data 
and/or equipment under combat-emergency conditions where 
such classified materials may be reasonably expected to fall 
into the possession of unauthorized persons.

C. Post Disaster Planning

1. A determination of the criticality of the disaster
considering anticipated time of system inoperability and
user processing requirements.


2. Immediate notification to management and system 
users of the estimated length of delay in operations to
allow the users to consider alternate operational methods. 

3. Notification of the appropriate higher levels of 
management if the time delay exceeds initial estimates.

4. Contact with the appropriate emergency and support 
organizations depending upon the cause and extent of the 
disaster. 


5. A determination of the feasibility of continued 
computer operation in a degraded mode. 

6. Initiation of actions to move computer operations to 
an alternate site if conditions warrant the move. 

7. A determination that the disaster has not degraded 
the essential system hardware, software or physical security
features and that procedural security controls remain in
effect.